[Pkg-openldap-devel] Bug#444172: slapd: accepts incorrect passwords

Pawel Palucha pawel at praterm.com.pl
Wed Sep 26 14:50:52 UTC 2007


Package: slapd
Version: 2.3.38-1
Severity: normal


When binding to slapd I can pass any password that starts with the correct
password and it is accepted (for example, if the password is '1234',
'12345' is also accepted). Checked with the Python bindings and the Apache
ldap_auth module. {CRYPT} is used to hash passwords.

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-5-xen-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/bash

Versions of packages slapd depends on:
ii  adduser                  3.105           add and remove users and groups
ii  coreutils                5.97-5.4        The GNU core utilities
ii  debconf [debconf-2.0]    1.5.14          Debian configuration management sy
ii  libc6                    2.6.1-5         GNU C Library: Shared libraries
ii  libdb4.2                 4.2.52+dfsg-3   Berkeley v4.2 Database Libraries [
ii  libiodbc2                3.52.5-1+b1     iODBC Driver Manager
ii  libldap-2.3-0            2.3.38-1        OpenLDAP libraries
ii  libltdl3                 1.5.24-1        A system independent dlopen wrappe
ii  libperl5.8               5.8.8-7         Shared Perl library
ii  libsasl2-2               2.1.22.dfsg1-14 Authentication abstraction library
ii  libslp1                  1.2.1-7         OpenSLP libraries
ii  libssl0.9.8              0.9.8e-6        SSL shared libraries
ii  libwrap0                 7.6.dbs-14      Wietse Venema's TCP wrappers libra
ii  perl [libmime-base64-per 5.8.8-7         Larry Wall's Practical Extraction 
ii  psmisc                   22.5-1          Utilities that use the proc filesy

Versions of packages slapd recommends:
ii  libsasl2-modules         2.1.22.dfsg1-14 Pluggable Authentication Modules f

-- debconf information:
  slapd/fix_directory: true
  shared/organization:
  slapd/upgrade_slapcat_failure:
  slapd/backend: BDB
* slapd/allow_ldap_v2: false
* slapd/no_configuration: true
  slapd/move_old_database: true
  slapd/suffix_change: false
  slapd/slave_databases_require_updateref:
  slapd/dump_database_destdir: /var/backups/slapd-VERSION
  slapd/autoconf_modules: true
  slapd/domain:
  slapd/password_mismatch:
* slapd/invalid_config: false
  slapd/upgrade_slapadd_failure:
  slapd/dump_database: when needed
  slapd/migrate_ldbm_to_bdb: false
  slapd/purge_database: false
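An added regression check for the symptom reported above (example code, not part of the bug report or of slapd): `prefix_checker` is a constructed stand-in that reproduces the reported behaviour, `strict_checker` shows a full-length comparison, and `bind_accepts_prefix` is the test a maintainer would run against a password verifier. The salted SHA-256 stand-in for the stored {CRYPT} value, the helper names and the sample password are assumptions.

```python
"""Regression check for the Bug#444172 symptom: a bind succeeds for any
candidate that merely starts with the real password.

Added illustration only; nothing here is slapd's own code and the real
cause inside slapd is not established by this example."""
import hashlib
import hmac

SALT = b"constructed-salt"  # constructed; stands in for the crypt salt


def _digest(password: str) -> bytes:
    # Constructed stand-in for the stored {CRYPT} value: salted SHA-256.
    return hashlib.sha256(SALT + password.encode()).digest()


def strict_checker(password: str):
    """Return a verifier that compares the full digest in constant time."""
    stored = _digest(password)
    return lambda candidate: hmac.compare_digest(stored, _digest(candidate))


def prefix_checker(password: str):
    """Constructed model of the reported bug: any candidate that starts
    with the real password is accepted."""
    return lambda candidate: candidate.startswith(password)


def bind_accepts_prefix(check, password: str, extra: str = "5") -> bool:
    """True if the verifier accepts a longer string that merely begins
    with the real password (the '1234' / '12345' case from the report)."""
    if not check(password):
        raise ValueError("verifier rejects the real password")
    return check(password + extra) or check(password + "x" * 8)


if __name__ == "__main__":
    for name, make in (("strict", strict_checker), ("prefix", prefix_checker)):
        affected = bind_accepts_prefix(make("1234"), "1234")
        print(f"{name}: accepts extended password -> {affected}")
```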